@peabnuts123
Last active October 10, 2022 00:11
Suggestion for Sumo Logic Slack notification payloads

Sumo Logic Slack notification payloads

The default notification payloads for Slack are very out of date, and the recovery payloads cannot be edited at all. As a result, notifications sent to Slack have an unavoidably poor experience.

Problems with current default template

The current template has several issues that should be fixed:

  1. Slack has labelled the "attachments" API as legacy functionality and explicitly recommends using the Block Kit API instead. [source]
  2. Sharing a message posted using the default template simply embeds the message into a new message, rather than posting a link to the message
    • I can only assume this is because the contents of the message are "attachments"
  3. The top-level text property is missing, which prevents Slack from generating previews of messages in notifications
    • Messages sent using the existing payload are shown as [no preview available] in notifications
    • This field is marked as required in the Slack API docs [source]
  4. The entire Query is displayed in the text of the notification
    • This is redundant, as the URL clicks through to a Sumo Logic search of the same query
    • It also gets out of hand very quickly with even a modest query, making the alerts very hard to read
    • Embedding the full text of the query also makes it extremely easy to break the formatting on Slack (the query is placed inside a Slack link, so any angle brackets or ampersands it contains are interpreted as markup)

Suggested changes

The suggestions are summarised as follows:

  1. Use Slack's Block Kit API in place of the legacy attachment API
  2. Include a text property in the payload for message previews
  3. Simply include a link to the query with a fixed label instead of the query text
  4. Where possible, link to the AlertResponseURL instead of an arbitrary Sumo Logic query

Additionally, redundant fields (such as including both TriggerTime and TriggerTimeRange) in the notification should be consolidated.
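To make the four suggestions concrete, here is an added Python example (my own code, not part of the gist and not Sumo Logic's or Slack's) that builds the proposed Block Kit alert payload from a dict of template variables, escapes alert-derived text before it goes into an mrkdwn field, and runs a small validator that flags the legacy attachments API, a missing top-level text, and mrkdwn that would render broken. It also reproduces the current template's Query field to show why embedding the raw query breaks formatting. The sample alert, its URLs and its query are constructed placeholders, and the Block Kit size limits are assumptions to be re-checked against Slack's reference.

```python
import re

# Constructed example, not code from the gist, Sumo Logic or Slack. Assumes the
# template variables arrive as a plain dict. The limits below are the Block Kit
# limits as I know them (header text 150 chars, 10 fields per section, 2000
# chars per field); treat them as assumptions and re-check Slack's reference.
HEADER_TEXT_MAX = 150
SECTION_FIELDS_MAX = 10
FIELD_TEXT_MAX = 2000

# A complete Slack link token: <url> or <url|label>.
LINK_RE = re.compile(r"<([^<>|]+)(?:\|([^<>]*))?>")

def escape_mrkdwn(value: str) -> str:
    """Escape the three characters Slack treats as control characters in message
    text. Every alert-derived string (query, description, condition) must pass
    through here before it is placed in an mrkdwn field."""
    return value.replace("&", "&amp;").replace("<", "&lt;").replace(">", "&gt;")

def mrkdwn_link(url: str, label: str) -> str:
    """Build a <url|label> link with a fixed, escaped label (suggestions 3 and 4)."""
    if not url.startswith("https://"):
        raise ValueError(f"refusing to link to a non-https URL: {url!r}")
    return f"<{url}|{escape_mrkdwn(label)}>"

def mrkdwn_well_formed(text: str) -> bool:
    """True when every '<' and '>' in the text belongs to a complete link token.
    A stray angle bracket is exactly how the old template's embedded query
    breaks the rendering of the whole message."""
    leftover = LINK_RE.sub("", text)
    return "<" not in leftover and ">" not in leftover

def legacy_query_field(query_url: str, query: str) -> str:
    """The Query field as the current default template produces it: the raw
    query text becomes the link label, unescaped."""
    return f"<{query_url} | {query}>"

def build_alert_payload(alert: dict) -> dict:
    """Assemble the Block Kit payload proposed in the alert suggestion file."""
    title = f"Sumo Logic Alert - {alert['TriggerType']}: {alert['AlertName']}"
    pairs = [
        ("*Alert*", {"type": "mrkdwn",
                     "text": mrkdwn_link(alert["AlertResponseURL"], "View alert in Sumo Logic")}),
        ("*Time Range*", {"type": "plain_text", "text": alert["TriggerTimeRange"]}),
        ("*Trigger Condition*", {"type": "plain_text", "text": alert["TriggerCondition"]}),
        ("*Trigger Value*", {"type": "plain_text", "text": str(alert["TriggerValue"])}),
    ]
    fields = []
    for label, value in pairs:
        fields.append({"type": "mrkdwn", "text": label})
        fields.append(value)
    return {
        "text": title,  # top-level text drives the notification preview (suggestion 2)
        "blocks": [
            {"type": "header", "text": {"type": "plain_text", "text": title, "emoji": True}},
            {"type": "section",
             "text": {"type": "plain_text", "text": alert["Description"], "emoji": True}},
            {"type": "section", "fields": fields},
        ],
    }

def validate_payload(payload: dict) -> list:
    """Return a list of problems; an empty list means the payload is acceptable."""
    problems = []
    if "attachments" in payload:
        problems.append("uses the legacy attachments API")
    if not payload.get("text"):
        problems.append("missing top-level text, so Slack shows no preview")
    for block in payload.get("blocks", []):
        if block["type"] == "header" and len(block["text"]["text"]) > HEADER_TEXT_MAX:
            problems.append("header text exceeds the Block Kit limit")
        if block["type"] == "section":
            fields = block.get("fields", [])
            if len(fields) > SECTION_FIELDS_MAX:
                problems.append("too many fields in one section block")
            for field in fields:
                if len(field["text"]) > FIELD_TEXT_MAX:
                    problems.append("field text exceeds the Block Kit limit")
                if field["type"] == "mrkdwn" and not mrkdwn_well_formed(field["text"]):
                    problems.append(f"malformed mrkdwn: {field['text']!r}")
    return problems

# Constructed sample alert; the URLs and query are placeholders, not real ones.
SAMPLE_ALERT = {
    "TriggerType": "Critical",
    "AlertName": "API 5xx rate",
    "AlertResponseURL": "https://service.sumologic.com/alerts/EXAMPLE-ALERT-ID",
    "QueryURL": "https://service.sumologic.com/search/EXAMPLE-QUERY-ID",
    "Query": "_sourceCategory=prod/api | where status_code >= 500 | count",
    "Description": "More than 1% of API responses were 5xx in the last 5 minutes",
    "TriggerTimeRange": "2022-10-10 00:00:00 to 2022-10-10 00:05:00",
    "TriggerCondition": "Count greater than 50",
    "TriggerValue": 73,
}

if __name__ == "__main__":
    legacy = legacy_query_field(SAMPLE_ALERT["QueryURL"], SAMPLE_ALERT["Query"])
    print("legacy query field well-formed:", mrkdwn_well_formed(legacy))
    print("suggested payload problems:", validate_payload(build_alert_payload(SAMPLE_ALERT)))
```

The sample query contains a `>=`, so the current template's `<{{QueryURL}} | {{Query}}>` field closes the link early and leaves a stray `>` behind; the validator reports it as malformed mrkdwn. The suggested payload keeps alert-derived values in plain_text fields, where Slack does not interpret markup, and only uses mrkdwn for fixed labels and a link whose label is under the template's control.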

Files in this gist

There are two sets of files: alert and recovery. Each set has two files: current and suggestion. The current files represent what the payload is today, and the suggestion files represent a suggested payload to replace it. The alert files are for critical/warning etc. notifications, and the recovery files are for notifications sent when a monitor is resolved.

alert, current:

```json
{
  "attachments": [
    {
      "pretext": "{{TriggerType}} Alert: {{AlertName}}",
      "fields": [
        {
          "title": "Alert URL",
          "value": "{{AlertResponseURL}}"
        },
        {
          "title": "Description",
          "value": "{{Description}}"
        },
        {
          "title": "Trigger Time",
          "value": "{{TriggerTime}}"
        },
        {
          "title": "Time Range",
          "value": "{{TriggerTimeRange}}"
        },
        {
          "title": "Trigger Condition",
          "value": "{{TriggerCondition}}"
        },
        {
          "title": "Trigger Value",
          "value": "{{TriggerValue}}"
        },
        {
          "title": "Query",
          "value": "<{{QueryURL}} | {{Query}}>"
        }
      ],
      "mrkdwn_in": ["text", "pretext"],
      "color": "#29A1E6"
    }
  ]
}
```
alert, suggestion:

```json
{
  "text": "Sumo Logic Alert - {{TriggerType}}: {{AlertName}}",
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "Sumo Logic Alert - {{TriggerType}}: {{AlertName}}",
        "emoji": true
      }
    },
    {
      "type": "section",
      "text": {
        "type": "plain_text",
        "text": "{{Description}}",
        "emoji": true
      }
    },
    {
      "type": "section",
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*Alert*"
        },
        {
          "type": "mrkdwn",
          "text": "_<{{AlertResponseURL}}|View alert in Sumo Logic>_"
        },
        {
          "type": "mrkdwn",
          "text": "*Time Range*"
        },
        {
          "type": "plain_text",
          "text": "{{TriggerTimeRange}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Trigger Condition*"
        },
        {
          "type": "plain_text",
          "text": "{{TriggerCondition}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Trigger Value*"
        },
        {
          "type": "plain_text",
          "text": "{{TriggerValue}}"
        }
      ]
    }
  ]
}
```
recovery, current:

```json
{
  "attachments": [
    {
      "pretext": "Sumo Logic Alert *Resolved: {{AlertName}}*",
      "fields": [
        {
          "title": "Details",
          "value": "Monitor {{AlertName}} has recovered at {{TriggerTime}}"
        },
        {
          "title": "Description",
          "value": "{{Description}}"
        },
        {
          "title": "Time Range",
          "value": "{{TriggerTimeRange}}"
        },
        {
          "title": "Trigger Condition",
          "value": "{{TriggerCondition}}"
        },
        {
          "title": "Query",
          "value": "<{{QueryURL}} | {{Query}}>"
        }
      ],
      "mrkdwn_in": ["text", "pretext"],
      "color": "#29A1E6"
    }
  ]
}
```
recovery, suggestion:

```json
{
  "text": "Sumo Logic Alert - Resolved: {{AlertName}}",
  "blocks": [
    {
      "type": "header",
      "text": {
        "type": "plain_text",
        "text": "Sumo Logic Alert - Resolved: {{AlertName}}",
        "emoji": true
      }
    },
    {
      "type": "section",
      "text": {
        "type": "plain_text",
        "text": "{{Description}}",
        "emoji": true
      }
    },
    {
      "type": "section",
      "fields": [
        {
          "type": "mrkdwn",
          "text": "*Time Range*"
        },
        {
          "type": "plain_text",
          "text": "{{TriggerTimeRange}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Trigger Condition*"
        },
        {
          "type": "plain_text",
          "text": "{{TriggerCondition}}"
        },
        {
          "type": "mrkdwn",
          "text": "*Query*"
        },
        {
          "type": "mrkdwn",
          "text": "_<{{QueryURL}}|View query in Sumo Logic>_"
        }
      ]
    }
  ]
}
```